US005991878A 

United States Patent [19]          [11] Patent Number: 5,991,878

McDonough et al.                   [45] Date of Patent: Nov. 23, 1999

[54] CONTROLLING ACCESS TO INFORMATION

[75] Inventors: John C. McDonough, Braintree;
     Thiagarajan Saravanan, Westborough;
     Michael P. Amatucci, Bolton; Louis A.
     Iannucci, Hudson; David M. Ingham,
     Newton, all of Mass.

[73] Assignee: FMR Corp., Boston, Mass.

[21] Appl. No.: 08/925,212
[22] Filed: Sep. 8, 1997

[51] Int. Cl.6: G06F 17/30; H04L 9/00

[52] U.S. Cl.: 713/200; 707/9

[58] Field of Search: 713/200, 201, 202; 707/9, 10



[56] References Cited

U.S. PATENT DOCUMENTS

5,159,685   10/1992   Kung              395/575
5,287,505    2/1994   Calvert et al.    395/600
5,548,715    8/1996   Maloney et al.    395/183.04
5,664,106    9/1997   Caccavale         395/200.54
5,805,803    9/1998   Birrell et al.    713/202
5,875,296    2/1999   Shi et al.        713/202

FOREIGN PATENT DOCUMENTS

0 474 058 A2   11/1992   European Pat. Off.   G06F 11/00
0 747 840 A1   11/1996   European Pat. Off.   G06F 17/30

OTHER PUBLICATIONS

Netscape's DDE Implementation,
http://www.netscape.com/newsref/std/ddeapi.html, Mar. 1995, 14 pages.

PCT Search Report dated Sep. 28, 1998.

Rivest, "The MD5 Message-Digest Algorithm",
http://andrew2.andrew.cmu.edu/rfc/rfc1321.html, 25 pages, Apr. 1992.

Freier et al., "The SSL Protocol Version 3.0",
http://home.netscape.com/eng/ssl3/ssl-toc.html, 3 pages, Mar. 1996.

"Netscape Data Security",
http://cgi.netscape.com/newsref/ref/netscape-security.html, 4 pages, 1997.

"Persistent Client State HTTP Cookies",
http://cgi.netscape.com/newsref/std/cookie_spec.html, 5 pages, 1997.

"Basic HTTP as defined in 1992",
http://www.w3.org/pub/WWW/Protocols/HTTP/HTTP2.html, 31 pages, 1992.

Berners-Lee, "Hypertext Transfer Protocol — HTTP/1.0",
http://ds.internic.net/rfc/rfc1945.txt, 53 pages, May 1996.

Fielding, "Hypertext Transfer Protocol — HTTP/1.1",
http://www.w3.org/pub/WWW/Protocols/rfc2068/rfc2068, 143 pages, Jan. 1997.

Primary Examiner — Thomas M. Heckler
Attorney, Agent, or Firm — Fish & Richardson P.C.

[57] ABSTRACT 

Methods are provided for controlling access to information
in a distributed computing system. A request for the
information is received and is accompanied by encrypted session
state data. Based on the encrypted session state data, it is
determined whether to pass the request on to a source of the
information. In a memory buffer, old data is replaced by
overwriting with a unique identifier. After the memory buffer
has received new data and a procedure has been executed for
copying the contents of the memory buffer to a destination,
it is determined whether the unique identifier may be found
at the destination.

28 Claims, 6 Drawing Sheets

Microfiche Appendix Included
(1 Microfiche, 84 Pages)

[Front-page drawing: flow diagram. Boxes: from a user at a client
computer, receive a request for information (1010); provide a login
display; receive a social security number and a PIN number from the
client computer; determine authorization details for the user; based
on the authorization details, create a subcookie for each of the
following: a ticket, an authorized realm indicator, the SSN,
authorized application codes, application-specific data, and an
expiration time; based on an encryption scheme, create a cookie
(named "PRIVATE") from the subcookies (1090); provide a response
indicating that access is denied; provide the cookie to the client
computer (1100).]



11/20/2003, EAST Version: 1.4.1 



[Sheet 1 of 6. FIG. 1: block diagram. Labels: client computer
(browser, cookie memory); Web server network; Web server computer
(server system, gatekeeper, "WWW.XYZ.COM"); authentication server
(authenticator app); back-end network; back-end server computers
running APP "AB1" 32 and APP "AB2" 34 ("...ACCOUNTS/AB") and
APP "CD1" 36 ("...ACCOUNTS/CD") under "WWW.XYZ.COM/ACCOUNTS", and
APP "EF" 38 ("...PURCHASING/EF") under "WWW.XYZ.COM/PURCHASING".]



[Sheets 2 and 3 of 6: drawings; text not recoverable.]



[Sheet 4 of 6. Column "Value example", one value per subcookie:
0000000068$LOG1$AUTH1; /ACCOUNTS; 000-00-0000; AB&CD; AB2;
19970601230000. Other drawing text not recoverable.]



[Sheet 5 of 6. FIG. 4: block diagram. Labels: client computer
(browser, cookie memory); Web server network; Web server computer
with WS memory (Web server variable-size buffer, Web server
fixed-size buffer), WS OS, server system, Web server registry,
gatekeeper, back-end application registry, and RPC client; back-end
network; back-end server computer with B-E memory (back-end
variable-size buffer, back-end fixed-size buffer), B-E OS, RPC
server, gatekeeper interface, global variable, and back-end
application.]



[Sheet 6 of 6: drawing; text not recoverable.]

CONTROLLING ACCESS TO INFORMATION 

REFERENCE TO MICROFICHE APPENDIX 

An appendix forms part of this application. The appendix,
which includes a source code listing relating to an
embodiment of the invention, includes 84 frames on 1 page of
microfiche.

BACKGROUND OF THE INVENTION 

The invention relates to controlling access to information. 

Browser software such as Netscape® Navigator™ allows
a computer system to request, retrieve, and display pages of
information from a World-Wide Web ("Web") server
computer across the Internet. In a response to an initial request
for one of the pages of information, the Web server computer
provides the browser software with a packet (known as a
"cookie") of session state data. The browser software then
returns a copy of the cookie to the Web server computer
together with a subsequent request, allowing the Web server
computer to treat the initial and subsequent requests as parts
of a unified session.

Often, to respond to such a request, the Web server 
computer relies on memory buffers in which the requested 
information is gathered prior to transmission to the browser 
software. The memory buffers are initially allocated by an 
operating system procedure. In some operating systems, 
before allowing use of the buffers, the procedure "cleans" 
each buffer by filling each buffer with the same standard data 
string, e.g., "0" or hexadecimal "BA CF ED". 

SUMMARY OF THE INVENTION 

In general, in one aspect, the invention features a method
of controlling access to information in a distributed
computing system. The method includes receiving a request (for
the information) accompanied by encrypted session state
data (e.g., provided as a generic cookie), and, based on the
encrypted session state data, determining whether to pass the
request to a source (e.g., a server computer) of the
information.

Implementations of the invention may include one or
more of the following features. The encrypted session state
data may define an information-accessing session (e.g., by
including a unique identifier for the session), and may be
valid for a limited duration (e.g., in accordance with an
expiration time indication included in the encrypted session
state data). The encrypted session state data may also define
information sources (e.g., organized in a hierarchy) for
which a user has access authorization (e.g., corresponding to
a portion of the hierarchy). If the information is available
from multiple sources (e.g., multiple server computers),
based on the encrypted session state data, the request may be
caused to pass to a one of the sources to which a previous
request was passed.
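
A sketch of the gatekeeper decision these two paragraphs describe, added here as an example and not taken from the patent or its microfiche appendix. It uses the subcookie names and sample values the description gives for FIG. 3; the NAME=value layout, the ticket pattern, the demo keys, the case-insensitive URL match, and the HMAC-SHA256 keystream with an integrity tag (standing in for the cipher the patent leaves open) are assumptions.

```python
import hashlib
import hmac
import re
import secrets
from datetime import datetime

# Subcookie names and sample values come from the page's FIG. 3 description.
# The NAME=value layout, the ticket regex and both keys are assumptions.
FIELDS = ("LB$T", "LB$R", "LB$I", "LB$A", "LB$D", "SP$T")
TICKET_RE = re.compile(r"^\d{10}\$[A-Z0-9]+\$[A-Z0-9]+$")
ENC_KEY = bytes(range(16))        # constructed 128-bit demo key
MAC_KEY = bytes(range(16, 48))    # constructed demo key for the integrity tag
SAMPLE = {
    "LB$T": "0000000068$LOG1$AUTH1",   # ticket
    "LB$R": "/ACCOUNTS",               # authorized realm
    "LB$I": "000-00-0000",             # SSN
    "LB$A": "AB&CD",                   # authorized application codes
    "LB$D": "AB2",                     # application-specific data
    "SP$T": "19970601230000",          # expiration time
}


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: an assumed stand-in, not the patent's cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(sub, enc_key=ENC_KEY, mac_key=MAC_KEY):
    """Join subcookies with '; ', encrypt, add a tag, and hex-encode the result."""
    plain = "; ".join(f"{k}={sub[k]}" for k in FIELDS).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex().upper()


def open_cookie(hex_text, enc_key=ENC_KEY, mac_key=MAC_KEY):
    """Return the subcookie dict, or None if the value was not sealed with our keys."""
    try:
        raw = bytes.fromhex(hex_text)
    except (ValueError, TypeError):
        return None
    if len(raw) < 48:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # modified or forged cookie
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return dict(item.split("=", 1) for item in plain.decode().split("; "))


def gatekeeper_allows(url_path, cookie_hex, now, enc_key=ENC_KEY, mac_key=MAC_KEY):
    """Decide from the cookie alone whether to pass the request to a back end."""
    sub = open_cookie(cookie_hex, enc_key, mac_key) if cookie_hex else None
    if sub is None or set(sub) != set(FIELDS):
        return False                     # no usable "PRIVATE" cookie
    if not TICKET_RE.match(sub["LB$T"]):
        return False                     # ticket lacks the expected format
    try:
        expires = datetime.strptime(sub["SP$T"], "%Y%m%d%H%M%S")
    except ValueError:
        return False
    if now > expires:
        return False                     # session expired
    # Refuse paths whose meaning could differ from their text after resolution.
    parts = [p for p in url_path.split("/") if p]
    if "%" in url_path or "\\" in url_path or any(p in (".", "..") for p in parts):
        return False
    if len(parts) < 2:
        return False
    # URL layout from the page: /<realm>/<application code>/<page>
    realm, app = "/" + parts[0].upper(), parts[1].upper()
    return realm == sub["LB$R"].upper() and app in sub["LB$A"].upper().split("&")


if __name__ == "__main__":
    cookie = seal(SAMPLE)
    print("PRIVATE=" + cookie)
    print(gatekeeper_allows("/accounts/ab/page1.html", cookie, datetime(1997, 6, 1, 22, 0)))
```

No session table is consulted: every decision is made from the cookie value and the server's keys.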

With this method, a computer system (e.g., a networked
system of Web servers) is able to keep track of which
information (in detail) in the system a user is authorized to
retrieve during a single session, without having to maintain
state information for the session. For example, if the user is
authorized to gain access to information from only particular
applications running on only particular Web servers, the
encrypted session state data so indicates. In addition, the
method allows one of the Web servers to serve as a
gatekeeper to the other Web servers, which relieves the other
Web servers of the burden of checking for authorization each
time a request for information is received.

In general, in another aspect, the invention features a
method of controlling access to information. The method
includes replacing old data in a memory buffer by
overwriting (e.g., by filling the memory buffer) with a unique
identifier (e.g., that associates the memory buffer with a
request for the information), and, after the memory buffer
has received new data and a procedure has been executed for
copying the contents of the memory buffer to a destination,
determining whether the unique identifier may be found at
the destination.

Implementations of the invention may include one or
more of the following features. A directive may be received
for causing the memory buffer to be allocated with a
specified size, and the memory buffer may be allocated with
an increased size (e.g., larger than the specified size by at
least an amount equal to twice the unique identifier's size).

This method not only helps prevent unintended
dissemination of the old data that resided in the memory buffer just
after allocation, but also helps prevent the new data in the
memory buffer from being provided to a user that lacks
authorization for access to the new data.
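
The buffer check described above, as an added example (not the patent's code). The class and function names, the 8-byte identifier, and the reading that the copy procedure is handed a byte count are assumptions; the padding of twice the identifier's size is from the text.

```python
import secrets


class TaggedBuffer:
    """A buffer whose previous contents are replaced by a repeated unique identifier."""

    def __init__(self, requested_size, ident=None, ident_len=8):
        # One identifier per buffer/request; random bytes are an assumed choice.
        self.ident = ident if ident is not None else secrets.token_bytes(ident_len)
        self.requested = requested_size
        n = len(self.ident)
        # Allocate more than was asked for: requested size plus twice the
        # identifier size. Whatever offset the new data ends at, the bytes
        # after it then still hold one complete copy of the identifier.
        total = requested_size + 2 * n
        reps = -(-total // n)                       # ceiling division
        self.mem = bytearray((self.ident * reps)[:total])

    def write(self, data):
        """Receive new data at the start of the buffer."""
        if len(data) > self.requested:
            raise ValueError("data exceeds the requested buffer size")
        self.mem[:len(data)] = data

    def copy_out(self, length):
        """The copy procedure: copies `length` bytes, whether or not that is right."""
        return bytes(self.mem[:length])


def send_if_clean(buf, length):
    """Copy to the destination, then withhold it if the identifier is found there."""
    destination = buf.copy_out(length)
    if buf.ident in destination:
        return None      # bytes that were never overwritten with new data leaked
    return destination


if __name__ == "__main__":
    demo = TaggedBuffer(32)
    demo.write(b"balance: 100.00")
    print(send_if_clean(demo, 15))   # exact length: released
    print(send_if_clean(demo, 32))   # length too large: withheld (None)
```

With an identifier of n bytes, an over-long copy is certain to be caught once it runs at least 2n - 1 bytes past the new data, which is why the padding is two identifiers rather than one.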

Other advantages and features will become apparent from 
the following description and from the claims. 

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1, 4 are block diagrams of a computer system.

FIGS. 2A-2B are flow diagrams for a procedure executed
by the computer system.

FIGS. 3, 5 are block diagrams helpful for understanding
the procedure of FIGS. 2A-2B.

DESCRIPTION OF THE PREFERRED
EMBODIMENTS

FIG. 1 illustrates a computer system 10 in which a client
computer 12 is connected by a Web server network 14 (such
as a network based on Internet and World-Wide Web
protocols) to a Web server computer 16 that is coupled to
multiple back-end server computers 18-24 by a back-end
network 26. The client computer runs browser software 28
(such as Netscape® Navigator™ version 2.0 or 3.0 or
Microsoft® Internet Explorer version 3.01) to gain access
(via server system software 30 and gatekeeper software 31
running on the Web server computer) to information from
one or more application software instances 32-38 running
on one or more of the back-end server computers.

The information is organized into pages that are logically
arranged in accordance with a hierarchical directory
structure that allows the browser software to identify each of the
pages by a Uniform Resource Locator string ("URL") such
as "http://www.xyz.com/accounts/ab/page1.html."

In such a URL, "www.xyz.com" refers to all of the
aforementioned application software instances generally,
"/accounts" refers to a group (known as a "realm") of these
instances, and "/ab" refers to a specific type of the instances
in the "/accounts" realm, as described below.

At the client computer, a user specifies the pages of
information (e.g., for viewing) by directing the browser
software to send URL-based requests to the server system
software. The gatekeeper software is provided to prevent the
user from gaining access to any of the pages other than those
of the pages for which the user has authorization. According
to the invention, access is prevented by using a
special-purpose information string known as a "smart cookie" that
is passed between the browser software and the server
system software. (The specification for a generic cookie —
session state object — is described in "Persistent Client State
HTTP Cookies" and other electronic documents available on
the World-Wide Web at
<http://cgi.netscape.com/newsref/std/cookie_spec.html>, and
incorporated by reference.) The smart cookie is created by
the gatekeeper software at the beginning of an
information-accessing session initiated by the user, and is
provided to the browser software for storage in a cookie
memory 39 of the client computer. Thereafter during the
session, the smart cookie accompanies URL-based requests
from the browser software to the server system software, and
allows the gatekeeper software to prevent unauthorized
access.

FIGS. 2A-2B illustrate a procedure 1000 executed by the
computer system to control access to the pages of
information. First, a URL-based request for information is received
by the server system software from the browser software
(step 1010). The request includes a data packet (made up of
the URL and other computer data) that is transferred across
the Web server network in accordance with protocols known
as HyperText Transport Protocol ("HTTP") (described in
Fielding et al., "Hypertext Transfer Protocol — HTTP/1.1"
(January 1997), available on the World-Wide Web at
<http://www.w3.org/pub/WWW/Protocols/rfc2068/rfc2068>, and
incorporated by reference; and Berners-Lee et al., "Hypertext
Transfer Protocol — HTTP/1.0" (May 1996), available on the
World-Wide Web at <http://ds.internic.net/rfc/rfc1945.txt>,
and incorporated by reference) and HyperText Transport
Protocol Secure ("HTTPS") (described in "Netscape Data
Security" and other electronic documents available on the
World-Wide Web at
<http://cgi.netscape.com/newsref/ref/netscape-security.html>,
and incorporated by reference; and Freier et al., "The SSL
Protocol Version 3.0" (March 1996) and other electronic
documents available at
<http://home.netscape.com/eng/ssl3/ssl-toc.html>, and
incorporated by reference). According to the generic cookie
specification, HTTP, and HTTPS, the data packet may
include (in a header section of the packet) at least one
generic cookie.

The gatekeeper software determines whether the request
includes a generic cookie named "PRIVATE" (step 1020). If
not, the browser software is provided with a response that
presents the user with a login display having blank fields for
a social security number or other user ID ("SSN") and a
personal identification number ("PIN") (step 1030). After
the user fills in the fields, the gatekeeper software receives
the SSN and the PIN (step 1040). Based on the SSN and the
PIN, it is determined whether the user is authorized to have
access to any of the pages of information (step 1050). The
determination is based on a comparison of the PIN to a PIN
of record provided for the SSN by authenticator application
software 40 (FIG. 1) running on an authentication server
computer 42 (which may be linked to another computer, not
shown, that stores the PIN of record in a database). If the
PIN does not match the PIN of record, it is determined that
the user is not authorized to have access, and the browser
software is provided with a response indicating that access
is denied (step 1060).

However, if the PIN matches the PIN of record, additional
authorization details are determined for the user (e.g., from
a computer linked to the authentication server computer)
(step 1070). These authorization details specify, e.g., the
realm and the application software types for which the user
has authorization. Based on these details, a subcookie (i.e.,
a cookie item) is created for each of the following (as
exemplified in FIG. 3): a ticket (LB$T) uniquely identifying
this session by the user, an authorized realm indicator
(LB$R) defining the realm for which the user has
authorization, the user's SSN (LB$I) for future reference,
authorized application codes (LB$A) specifying the
application software types for which the user has authorization,
application-specific data (LB$D), and an expiration time
indicator (SP$T) for the session (step 1080).

In the example of FIG. 3, the ticket has a predetermined
format and includes "0000000068" to indicate that this
session by the user is the sixty-eighth session (overall, not
merely for the user) to be authenticated. Other means of
uniquely identifying the session may be used, including
choosing a number based on a pseudo-random process. The
ticket also includes "LOG1" to indicate that a "LOG1"
instance of logging application software is to be used to
record information about the user's activity during this
session. Finally, the ticket includes "AUTH1" to indicate that
an "AUTH1" instance of the authenticator application
software was responsible for authentication in this session.

The authorized realm indicator of FIG. 3 indicates that the
[illegible] limited at least
to an "/accounts" realm that consists of pages of information
from application instances 32, 34, 36. The authorized
application codes "AB" and "CD" indicate that the
[illegible] limited to [illegible] of information from
application software types "AB" and "CD" (or application
[illegible] with names associated with codes "AB" and "CD").

In the application-specific data of FIG. 3, "AB2" indicates
that the gatekeeper should direct requests for "AB"-type
pages of information [illegible]
for the purposes of load-balancing, scaling, or
fault-tolerance, application software instance 34 may
provide the [illegible] of information as application software
instance 32. In such a case, if application software instance
34 has already been used for processing an "AB"-type
request in a session, application software instance 34 is
re-used for each subsequent "AB"-type request in the
session. Such re-use not only facilitates management of
load-balancing, but also takes advantage of caching and similar
performance-enhancement features provided by the
back-end server computer.

[illegible] indicator of FIG.
3 ("19970601230000"), the smart cookie is not valid after
11:00 PM on Jun. 1, 1997.

After the subcookies are created, the smart cookie 102
(FIG. 3) is created (step 1090) as shown in FIG. 3, by
concatenating the subcookies (delimited by semicolons and
spaces) and then encrypting and converting to a text
representation 104 of hexadecimal notation, to produce an
encrypted text string. Preferably, the encryption is based on
a 128-bit private key used in accordance with a message
digest construct standard such as MD5 (described in R.
Rivest, "The MD5 Message-Digest Algorithm" (April
1992), which is available on the World-Wide Web at
<http://andrew2.andrew.cmu.edu/rfc/rfc1321.html>, and
incorporated by reference). However, any type of encryption may be
used, depending on the level of access security required.

Finally, the smart cookie is provided as a generic cookie
named "PRIVATE" to the client computer for storage in the
cookie memory (step 1100). At this point, after having sent
the request that lacked the generic cookie named
"PRIVATE" (step 1020), the user is now equipped to gain access
to the pages of information for which the user has
authorization.

On the other hand, if it is determined that the request
already includes a generic cookie named "PRIVATE" (i.e.,
the smart cookie described above) (step 1020), the computer
system executes as follows. The subcookies described above
are derived from the smart cookie (step 1110). It is
determined whether the ticket is valid (step 1120). The ticket is
invalid if the ticket lacks the predetermined format described
above or has expired according to the expiration time
indicator, in which case the browser software is provided
with a response indicating that access is denied (step 1060).

Otherwise, based on the request, a set of application
software instances is identified (step 1130). This identified
set is determined by the URL included in the request. For
example, with respect to FIG. 1, if the URL includes
"http://www.xyz.com/accounts/AB",
"http://www.xyz.com/accounts/CD", or
"http://www.xyz.com/purchasing/EF", the
identified set includes instances 32 and 34, instance 36, or
instance 38, respectively.

Based on the authorized application codes (and the
authorized realm indicator) derived from the smart cookie, it is
then determined whether the user is authorized to have
access to the identified set (step 1140). For example, the
authorized realm indicator may include "/test" and the
authorized applications codes may include "GH" and "IJ".
In such a case, if the URL includes "/working/GH", the

be invoked. (The association of "0.401" with the Connect( )
function is made when the gatekeeper software
— implemented as one or more Dynamic Link Library
("DLL") files — is started and registers at that time with the
server system software.)

Similarly, the Web server computer also has a back-end
application registry 57 that associates application software
instances with respective UserConnect( ) functions
(described below). Each of these associations is provided
when the respective application software instance is started.

After the Connect( ) function is invoked, the gatekeeper
software causes the application software instance 34
(hereafter referred to as the back-end application software
34) to direct that a back-end server buffer (variable-sized 58
or fixed-size 60 as described below) of a specified size be
allocated in the back-end memory (step 1160). Such a
direction is accomplished in the following way. By parsing
the URL in accordance with the smart-cookie-based access
authorization described above, the gatekeeper software
determines that the back-end application software should
process the request. Across the RPC function-call bridge

authorized realm indicator blocks access to a corresponding 48-54 and based on the appropriate association in the 

"GH" application software instance even though the autho- back-end application registry, the gatekeeper software then 

rized applications codes include "GH". If the user is not invokes the "UserConnect(URL,ticket)" function of the 

authorized to have access, the browser software is provided 25 gatekeeper interface software. The back-end server com- 

with a response indicating that access is denied (step 1060). puter has a global variable 62 (known as "g_pTheApp") 

Otherwise, based on the application-specific data (e.g., ^at is set when the back-end application software is started 

indicating "AB2" in FIG. 3) derived from the smart cookie, and that points to a different "UserConnect(URL,tickeQ" 

the gatekeeper determines a specific application software function (that is provided by the back-end application 

instance (e.g., instance 34) for processing the request (step software). Using g_pTheApp, the gatekeeper interface soft- 

1150). The application-specific data may lack an indication ware invokes the back-end application software's 

of a specific instance (e.g., because the request is the "UserConnect(URL,ticket)" function, which is provided 

session's first involving a particular type of application with the URL from the request and the ticket from the smart 

software instance). If so, the instance is selected according cookie accompanying the request. As a result, the back-end 

to a load-balancing strategy and is noted for future reference application directs that the back-end buffer be allocated, 

in application-specific data provided in an updated smart with a specified size. (Preferably the back-end variable-size 

cookie that accompanies a substantive response to the buffer is used only if the back-end fixed-size (e.g., 64 

request, as described below. kilobyte) buffer is too small for the information to be 

The request then causes interaction between the Web 40 included in the substantive response.) 

server computer and one of the back-end server computers The gatekeeper interface software then causes the B-E OS 

(e.g., computer 20) as described below to produce the to allocate as described above, except with an increased size 

information requested for inclusion in the substantive equal to the specified size plus twice the size of the ticket 

response. In the interaction, the ticket is used for helping to (step 1170). The increased size is used instead of the 

prevent the substantive response from including any infor- 45 specified size to help ensure that the back-end buffer has 

mation to which the user lacks authorized access. sufficient space for both the ticket and the information to be 

In particular, with reference now also to FIG. 4, the Web included in thc substantive response, as described below, 

server computer also runs Web server operating system FIG. 5 shows an example of the buffer as allocated 

software ("WS OS") 46 and Remote Procedure Call initially, including a ticket area 70 that is provided as a result 

("RPC") client software 48 and has a Web server memory 50 of tne use of lne increased size instead of the specified size. 

49. The back-end server computer also runs back-end server Initially, the buffer (including the ticket area) includes old 

operating system software ("B-E OS") 50, gatekeeper inter- data (i.e., the data held in the buffer's locations before 

face software 52, and RPC server software 54, and has a allocation) such as the contents of one or more previous 

back-end memory 55. By converting between local function back-end buffers. (As such back-end buffers are allocated, 

calls and network requests (as described in "RPC: Remote 55 used, and de-allocated in the back-end memory, portions of 

Procedure Call Protocol Specification Version 2" (June the back-end memory are re-used each time.) 

1988), available on the World-Wide Web at ftp:// After the B-E OS allocates the back-end buffer, the 

ds.internic.net/rfc/rfcl057.txt, and incorporated by gatekeeper interface software fills the back-end buffer with 

reference), the RPC client and server software pair provide the ticket (step 1180) as exemplified in FIG. 5, where the 

a function-call bridge 48-54 that allows the gatekeeper 50 ticket is "TICKET' represented in American Standard Code 

software to invoke directly functions provided by the gate- for Information Interchange ("ASCII") hexadecimal nota- 

keeper interface software. tion as "54 49 43 4B 45 54". Note that the ticket fills the 

The Web server computer also has a Web server registry ticket area as well as the rest of the buffer. Because the ticket 

56 that associates types of URLs with software functions. In area is twice the size of the ticket, the ticket appears in full 

particular, if the request's URL includes "0.401", the server 65 in the ticket area at least once. 

system software determines from the Web server registry Next, the back-end application overwrites the information 

that a Connect( ) function of the gatekeeper software should requested into the back-end buffer (step 1190), as exempli - 
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fied in FIG. 5. For example, the information requested may 
include text data derived from a database 72 stored across a 
mainframe network 74 (FIG. 4) on a mainframe computer 
76, and provided for display at the client computer. Note that 
because the back-end buffer has the increased size (instead 
of the specified size that was designated and is expected by 
the back-end application), the information requested does 
not overwrite the ticket area, in which the ticket still appears 
(absent an error). 

The "UserConnect(URL,ticket)" function (that is pro- 
vided by the back-end application software) then terminates, 
which leads to the allocation of a corresponding Web server 
buffer (Web server variable-size buffer 78 or Web server 
fixed-size buffer 80) that has the same size as the back-end 
buffer (step 1200). The Web server buffer is so allocated by 
the WS OS. Across the function-call bridge, the contents of 
the back-end buffer are copied to the Web server buffer (step 
1210). (Subsequently, the back-end buffer is de-allocated to 
allow re-use of the back-end buffer's share of the back-end 
memory.) 

At this point, the gatekeeper software determines whether 
the Web server buffer includes the ticket (step 1220). If the 
ticket is so included, the information requested is provided 
(from the Web server buffer) in the substantive response 
(step 1230), and the procedure terminates. As noted above, 
if an updated smart cookie has been produced, the updated 
smart cookie accompanies the substantive response and 
replaces the existing smart cookie in accordance with the 
generic cookie specification also noted above. 

However, if the ticket is not so included (indicating a 
problem such as the copying of the wrong information from
the back-end memory), information is not provided from the 
Web server buffer. Instead, a response including an error 
report is provided (step 1240), and the procedure terminates. 
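
The ticket-filled buffer check of steps 1170 to 1240, as an added C example that is not code from the patent. The function names, the payload and the second ticket "OTHER1" are constructed for illustration; the last call shows why the ticket area is twice the ticket size rather than equal to it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Steps 1170-1180: allocate spec + extra bytes and overwrite every byte
 * (whatever old data malloc handed back) with the repeating ticket. */
static unsigned char *alloc_ticketed(size_t spec, size_t extra,
                                     const char *ticket, size_t *total)
{
    size_t tlen = strlen(ticket);
    if (tlen == 0 || spec > SIZE_MAX - extra)
        return NULL;
    *total = spec + extra;
    unsigned char *buf = malloc(*total);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < *total; i++)
        buf[i] = (unsigned char)ticket[i % tlen];
    return buf;
}

/* Step 1220: does the copied buffer hold one complete copy of the ticket? */
static int contains_ticket(const unsigned char *buf, size_t len,
                           const char *ticket)
{
    size_t tlen = strlen(ticket);
    if (tlen == 0 || len < tlen)
        return 0;
    for (size_t i = 0; i + tlen <= len; i++)
        if (memcmp(buf + i, ticket, tlen) == 0)
            return 1;
    return 0;
}

/* One request. request_ticket comes from the smart cookie; buffer_ticket is
 * the ticket the copied back-end buffer was filled with (different when the
 * wrong buffer is copied). factor is the ticket-area size in tickets.
 * Returns 1 to serve the response (step 1230), 0 for an error (step 1240). */
static int serve_request(const char *request_ticket, const char *buffer_ticket,
                         const char *info, size_t spec, size_t factor)
{
    size_t total = 0, n = strlen(info);
    unsigned char *be = alloc_ticketed(spec, factor * strlen(buffer_ticket),
                                       buffer_ticket, &total);
    if (be == NULL)
        return 0;
    memcpy(be, info, n < spec ? n : spec);    /* step 1190: at most spec bytes */
    unsigned char *ws = malloc(total);        /* step 1200: same size */
    if (ws == NULL) {
        free(be);
        return 0;
    }
    memcpy(ws, be, total);                    /* step 1210: copy across bridge */
    free(be);
    int ok = contains_ticket(ws, total, request_ticket);
    free(ws);
    return ok;
}

int main(void)
{
    const char *info = "0123456789";   /* constructed payload, exactly spec bytes */
    printf("right buffer, 2x area: %d\n",
           serve_request("TICKET", "TICKET", info, 10, 2));
    printf("wrong buffer copied:   %d\n",
           serve_request("TICKET", "OTHER1", info, 10, 2));
    /* With only 1x, a full-size payload whose length is not a multiple of
     * the ticket length can leave no complete ticket, so a good copy may
     * be rejected. */
    printf("right buffer, 1x area: %d\n",
           serve_request("TICKET", "TICKET", info, 10, 1));
    return 0;
}
```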

One or more of the pages of information may include text 
formatted in accordance with, e.g., a specification known as 
Hypertext Markup Language ("HTML"). The browser soft- 
ware may be, e.g., Netscape® Navigator™ version 2.0 or 
3.0 (as mentioned above) or Microsoft® Internet Explorer 
version 3.0, or any other software allowing use of a generic 
cookie. One or more of the server computers may include, 
e.g., a Sun™ UltraSPARC™ or a Compaq® ProLiant™ 
running an operating system such as Solaris™ or 
Microsoft® Windows® NT, or an IBM® RS6000 running 
an operating system such as IBM® OS/2 or AIX. One or 
more of the networks may be based on a protocol such as 
Transmission Control Protocol and Internet Protocol
("TCP/IP"). The client computer may include a personal computer
having a processor such as an Intel® Pentium®. One or 
more of the operating systems may be, e.g., Microsoft® 
Windows® NT, Microsoft® Windows® 95, UNIX®, 
OS/2®, or Java™. The mainframe computer may include, 
e.g., an IBM® 3090 running an operating system such as 
IBM® MVS 5.2, or a Pyramid® NILE™ computer. 

The technique (i.e., the procedure described above) may 
be implemented in hardware or software, or a combination 
of both. Preferably, the technique is implemented in com- 
puter programs (such as the gatekeeper software and gate- 
keeper interface software described above) executing on 
programmable computers that each include a processor, a 
storage medium readable by the processor (including vola- 
tile and non-volatile memory and/or storage elements), at 
least one input device such as a keyboard, and at least one 
output device. Program code is applied to data entered using 
the input device to perform the method described above and 
to generate output information. The output information is
applied to one or more output devices such as a display
screen of the client computer. 

Each program is preferably implemented in a high level 
procedural or object-oriented programming language (such 
as Microsoft Visual C++ version 4.0) to communicate with
a computer system. However, the programs can be imple- 
mented in assembly or machine language, if desired. In any 
case, the language may be a compiled or interpreted lan- 
guage. 

Each such computer program is preferably stored on a
storage medium or device (e.g., ROM or magnetic diskette)
that is readable by a general or special purpose programmable
computer for configuring and operating the computer
when the storage medium or device is read by the computer
to perform the procedures described in this document. The
system may also be considered to be implemented as a
computer-readable storage medium, configured with a computer
program, where the storage medium so configured
causes a computer to operate in a specific and predefined
manner.

Other embodiments are within the scope of the following
claims. For example, if the back-end fixed-size buffer serves
as the back-end buffer, the back-end buffer may be filled
with the ticket before the "UserConnect(URL,ticket)" function
(that is provided by the back-end application software)
is invoked.

The application-specific data may include details (such as 
limited authorization details, or selections for time zone, 
language, or currency) that are useful to the application 
software itself, which may retrieve such details by invoking 
functions of the gatekeeper software.

To reduce the opportunities for the smart cookie to be 
replaced by a garbled updated smart cookie, the updated 
smart cookie may accompany substantive responses to 
requests for text data only. Or, for similar reasons, the 
updated smart cookie may accompany substantive responses 
to all requests except for requests relating to retrieval of 
supporting data such as image data. 

This patent document (including the microfiche appendix)
contains material that is subject to copyright protection. The
copyright owner has no objection to the facsimile reproduction
by anyone of the patent document as it appears in the
Patent and Trademark Office file or records, but otherwise
reserves all copyright rights whatsoever.

What is claimed is:

1. A method of controlling access to information in a distributed computing system, the method comprising:

receiving a request for the information, the request accompanied by encrypted session state data, the encrypted session state data being valid for a limited duration; and

based on the encrypted session state data, determining whether to pass the request to a source of the information.

2. The method of claim 1, further comprising:

providing the encrypted session state data as a generic cookie.

3. The method of claim 1, wherein the encrypted session state data defines an information-accessing session.

4. The method of claim 1, wherein the encrypted session state data includes a unique identifier for an information-accessing session.

5. The method of claim 1, wherein the encrypted session state data comprises an indication of an expiration time.

6. The method of claim 1, further comprising:

if the information is available from multiple sources, based on the encrypted session state data, causing the request to be passed to a one of the sources to which a previous request was passed.

7. The method of claim 1, wherein the encrypted session 
state data defines information sources for which a user has 
access authorization. 

8. The method of claim 7, wherein 

the information sources are organized in a hierarchy; and 
the encrypted session state data defines a portion of the 
hierarchy, the user having access authorization corre- 
sponding to the portion. 

9. A method of controlling access to information, the 
method comprising: 

in a memory buffer, replacing old data by overwriting 
with a unique identifier; and 

after the memory buffer has received new data and a 
procedure has been executed for copying at least some 
of the contents of the memory buffer to a destination, 
determining whether the unique identifier may be found 
at the destination. 

10. The method of claim 9, further comprising

receiving a request for the new data, wherein the unique identifier associates the memory buffer with the request.

11. The method of claim 9, further comprising:

filling the memory buffer with the unique identifier.

12. The method of claim 9, further comprising

receiving a directive to cause the memory buffer to be allocated with a specified size; and

causing the memory buffer to be allocated with an increased size.

13. The method of claim 12, wherein 

the unique identifier has an identifier size; and 
the increased size is larger than the specified size by at 
least an amount equal to twice the identifier size. 

14. A method of controlling access to information, the 
method comprising: 

providing encrypted session state data to browser soft- 
ware running on a client computer, the encrypted 
session state data including a unique identifier for an
information-accessing session; 

at a gatekeeper computer, receiving a request for the 
information, the encrypted session state data accompa- 
nying the request; 

based on the encrypted session state data, determining 
whether to pass the request to a server computer 
serving as a source for the information; 

at the server computer, directing that a memory buffer be 
allocated with a specified size; 

causing the memory buffer to be allocated with an 
increased size being larger than the specified size by 
amount equal to twice the unique identifier's size; 

filling the memory buffer with the unique identifier; 

providing the information in the memory buffer; 

at the gatekeeper computer, causing a gatekeeper memory 
buffer to be allocated with the increased size; 

copying the contents of the memory buffer to the gate- 
keeper memory buffer; 

determining whether the unique identifier may be found in 
the gatekeeper memory buffer; and 

if the unique identifier is found in the gatekeeper memory 
buffer, providing the information in a substantive 
response to the browser software. 

15. Computer software, residing on a computer-readable storage medium, comprising instructions for use in a computer system to control access to information in a distributed computing system, the instructions causing the computer system to:

receive a request for the information, the request accompanied by encrypted session state data, the encrypted session state data being valid for a limited duration; and

based on the encrypted session state data, determine whether to pass the request to a source of the information.

16. The computer software of claim 15, wherein the computer software further comprises instructions for causing the computer system to:

provide the encrypted session state data as a generic cookie.

17. The computer software of claim 15, wherein the encrypted session state data defines an information-accessing session.

18. The computer software of claim 15, wherein the encrypted session state data includes a unique identifier for an information-accessing session.

19. The computer software of claim 15, wherein the encrypted session state data comprises an indication of an expiration time.

20. The computer software of claim 15, wherein the computer software further comprises instructions for causing the computer system to:

if the information is available from multiple sources, based on the encrypted session state data, cause the request to be passed to a one of the sources to which a previous request was passed.

21. The computer software of claim 15, wherein the encrypted session state data defines information sources for which a user has access authorization.

22. The computer software of claim 21, wherein

the information sources are organized in a hierarchy; and

the encrypted session state data defines a portion of the hierarchy, the user having access authorization corresponding to the portion.

23. Computer software, residing on a computer-readable storage medium, comprising instructions for use in a computer system to control access to information, the instructions causing the computer system to:

in a memory buffer, replace old data by overwriting with a unique identifier; and

after the memory buffer has received new data and a procedure has been executed for copying at least some of the contents of the memory buffer to a destination, determine whether the unique identifier may be found at the destination.

24. The computer software of claim 23, wherein the computer software further comprises instructions for causing the computer system to:

receive a request for the new data, wherein the unique identifier associates the memory buffer with the request.

25. The computer software of claim 23, wherein the computer software further comprises instructions for causing the computer system to:

fill the memory buffer with the unique identifier.

26. The computer software of claim 23, wherein the computer software further comprises instructions for causing the computer system to:

receive a directive to cause the memory buffer to be allocated with a specified size; and

cause the memory buffer to be allocated with an increased size.

27. The computer software of claim 26, wherein

the unique identifier has an identifier size; and

the increased size is larger than the specified size by at least an amount equal to twice the identifier size.

28. Computer software, residing on a computer-readable storage medium, comprising instructions for use in a computer system to control access to information, the instructions causing the computer system to:

provide encrypted session state data to browser software running on a client computer, the encrypted session state data including a unique identifier for an information-accessing session;

at a gatekeeper computer, receive a request for the information, the encrypted session state data accompanying the request;

based on the encrypted session state data, determine whether to pass the request to a server computer serving as a source for the information;

at the server computer, direct that a memory buffer be allocated with a specified size;

cause the memory buffer to be allocated with an increased size being larger than the specified size by amount equal to twice the unique identifier's size;

fill the memory buffer with the unique identifier;

provide the information in the memory buffer;

at the gatekeeper computer, cause a gatekeeper memory buffer to be allocated with the increased size;

copy the contents of the memory buffer to the gatekeeper memory buffer;

determine whether the unique identifier may be found in the gatekeeper memory buffer; and

if the unique identifier is found in the gatekeeper memory buffer, provide the information in a substantive response to the browser software.